mirrors/dnscrypt-proxy
1
0
Fork 0
mirror of https://github.com/DNSCrypt/dnscrypt-proxy.git synced 2025-04-04 21:57:44 +03:00
Code Issues Projects Releases Packages Wiki Activity

Unofficially support DoH/ODoH over HTTP

Browse source
This commit is contained in:
Frank Denis 2023-09-05 22:37:11 +02:00
parent 87571d4a7f
commit 8bea679e7b
1 changed files with 34 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

59
dnscrypt-proxy/serversInfo.go
View file

@ -854,10 +854,17 @@ func _fetchODoHTargetInfo(proxy *Proxy, name string, stamp stamps.ServerStamp, i
if msg.Rcode != dns.RcodeNameError { if msg.Rcode != dns.RcodeNameError {
dlog.Criticalf("[%s] may be a lying resolver", name) dlog.Criticalf("[%s] may be a lying resolver", name)
} }
protocol := "http"
protocol := tls.NegotiatedProtocol tlsVersion := uint16(0)
if len(protocol) == 0 { tlsCipherSuite := uint16(0)
protocol = "http/1.x" if tls != nil {
protocol = tls.NegotiatedProtocol
if len(protocol) == 0 {
protocol = "http/1.x"
} else {
tlsVersion = tls.Version
tlsCipherSuite = tls.CipherSuite
}
} }
if strings.HasPrefix(protocol, "http/1.") { if strings.HasPrefix(protocol, "http/1.") {
dlog.Warnf("[%s] does not support HTTP/2", name) dlog.Warnf("[%s] does not support HTTP/2", name)
@ -865,37 +872,39 @@ func _fetchODoHTargetInfo(proxy *Proxy, name string, stamp stamps.ServerStamp, i
dlog.Infof( dlog.Infof(
"[%s] TLS version: %x - Protocol: %v - Cipher suite: %v", "[%s] TLS version: %x - Protocol: %v - Cipher suite: %v",
name, name,
tls.Version, tlsVersion,
protocol, protocol,
tls.CipherSuite, tlsCipherSuite,
) )
showCerts := proxy.showCerts showCerts := proxy.showCerts
found := false found := false
var wantedHash [32]byte var wantedHash [32]byte
for _, cert := range tls.PeerCertificates { if tls != nil {
h := sha256.Sum256(cert.RawTBSCertificate) for _, cert := range tls.PeerCertificates {
if showCerts { h := sha256.Sum256(cert.RawTBSCertificate)
dlog.Noticef("Advertised relay cert: [%s] [%x]", cert.Subject, h) if showCerts {
} else { dlog.Noticef("Advertised relay cert: [%s] [%x]", cert.Subject, h)
dlog.Debugf("Advertised relay cert: [%s] [%x]", cert.Subject, h) } else {
} dlog.Debugf("Advertised relay cert: [%s] [%x]", cert.Subject, h)
for _, hash := range stamp.Hashes { }
if len(hash) == len(wantedHash) { for _, hash := range stamp.Hashes {
copy(wantedHash[:], hash) if len(hash) == len(wantedHash) {
if h == wantedHash { copy(wantedHash[:], hash)
found = true if h == wantedHash {
break found = true
break
}
} }
} }
if found {
break
}
} }
if found { if !found && len(stamp.Hashes) > 0 {
break dlog.Criticalf("[%s] Certificate hash [%x] not found", name, wantedHash)
return ServerInfo{}, fmt.Errorf("Certificate hash not found")
} }
} }
if !found && len(stamp.Hashes) > 0 {
dlog.Criticalf("[%s] Certificate hash [%x] not found", name, wantedHash)
return ServerInfo{}, fmt.Errorf("Certificate hash not found")
}
if len(serverResponse) < MinDNSPacketSize || len(serverResponse) > MaxDNSPacketSize || if len(serverResponse) < MinDNSPacketSize || len(serverResponse) > MaxDNSPacketSize ||
serverResponse[0] != 0xca || serverResponse[1] != 0xfe || serverResponse[4] != 0x00 || serverResponse[5] != 0x01 { serverResponse[0] != 0xca || serverResponse[1] != 0xfe || serverResponse[4] != 0x00 || serverResponse[5] != 0x01 {
dlog.Info("Webserver returned an unexpected response") dlog.Info("Webserver returned an unexpected response")